Security Intelligence (IBM) blog: Space Rogue, A Security Rebel Turned Pen Tester

Posted on by
Reply

Cris Thomas, who also goes by the pseudonym Space Rogue, is the global strategy lead at IBM X-Force Red. I recently spoke with him to discuss his work as a penetration testing specialist, his role as a cybersecurity activist in the late 1990s. In 1998, Thomas and other members of attacker think tank L0pht Heavy Industries testified to Congress. L0pht is infamous for developing a series of hacking tools, such as Windows NT password crackers and a website called Hacker News Network. The white-hat hacking group also took on numerous consulting projects over the years and was recently back in DC to talk about what has changed, and what hasn’t, in terms of infosec. My interview with Thomas can be found in IBM’s Security Intelligence blog.

Having better risk-based analysis for your banks and credit cards

Posted on by
1

When someone tries to steal money from your bank or credit card accounts, these days it is a lot harder, thanks to a number of technologies. I recently personally had this situation. Someone tried to use my credit card on the other side of Missouri on a Sunday afternoon. Within moments, I got alerts from my bank, along with a toll-free number to call to verify the transactions. In the heat of the moment, I dialed the number and started talking to my bank’s customer service representatives. Then it hit me: what if I were being phished? I told the person that I was going to call them back, using the number on the back of my card. Once I did, I found out I was talking to the right people after all, but still you can’t be too careful.

This heat-of-the-moment reaction is what the criminals count on, and how they prey on your heightened emotional state. In my case, I was well into my first call before I started thinking more carefully about the situation, so I could understand how phishing attacks can often work, even for experienced people.

To help cut down on these sorts of exploits, banks use a variety of risk-based or adaptive authentication technologies that monitor your transactions constantly, to try to figure out if it really is you doing them or someone else. In my case, the pattern of life didn’t fit, even though it was a transaction taking place only a few hundred miles away from where I lived. Those of you who travel internationally probably have come across this situation: if you forget to tell your bank you are traveling, your first purchase in a foreign country may be declined until you call them and authorize it. But now the granularity of what can be caught is much finer, which was good news for me.

These technologies can take several forms: some of them are part of identity management tools or multi-factor authentication tools, others come as part of regular features of cloud access security brokers. They aren’t inexpensive, and they take time to implement properly. In a story I wrote last month for CSOonline, I discuss what IT managers need to know to make the right purchasing decision.

In that article, I also talk about these tools and how they have matured over the past few years. As we move more of our online activity to mobiles and social networks, hackers are finding ways at leveraging our identity in new and sneaky ways. One-time passwords that are being sent to our phones can be more readily intercepted, using the knowledge that we broadcast on our social media. And to make matters worse, attackers are also getting better at conducting blended attacks that can cut across a website, a mobile phone app, voice phone calls, and legacy on-premises applications.

Of course, all the tech in the world doesn’t help if your bank can’t respond quickly when you uncover some fraudulent activity. Criminals specifically targeted a UK bank that was having issues with switching over its computer systems last month, knowing that customers would have a hard time getting through to its customer support call centers. The linked article documents how one customer waited on hold for more than four hours, watching while criminals took thousands of pounds out of his account. Other victims were robbed of five and six-figure sums after falling for phishing messages that asked them to input their login credentials.

Steve Ragan in a screencast below shows you the phishing techniques that were used in this particular situation.

The moral of the story: don’t panic when you get a potentially dire fraud alert message. Take a breath, take time to think it through. And call your bank when in doubt.

 

Finding the right escape room for your group

Posted on by
1

I am a bit slow to the whole escape room phenomenon, but it seems like a great idea to me. While I am not a computer gamer, I have run sites with that editorial content and know many professional gamers as a result. I am also a big Sudoku and crossword fan, having done those puzzles for more than a decade.

The idea, if you are still not tuned in, is to bring a few friends to a facility and try to escape from a locked room within an hour. You have to solve various puzzles. Actually, you have to find the clues and then figure out the puzzle, without a lot of guidance. If you haven’t ever done a room, you first have to be very observant, looking at what objects have been placed in the room, what information is written on the walls or displayed on various monitor screens, and what objects might lead you to other things. For those of you that don’t like solving puzzles, this is probably not something you are going to like. If you do like puzzles, or if you go to haunted houses every fall (or even build your own), this is probably something you have already checked out.

While I am not a computer gamer, I recognize that many years ago I spent weeks of my life trying to solve the puzzles of Myst. Back then, I said that “Myst starts out a total puzzle, and as you gain skills and understand the sequence of play involved, you get drawn into the universe of the game and lose track of real life and elapsed time.” You can say that about many modern computer games too. The problem with this is that you only have an hour to escape your particular room, and you don’t know how many puzzles you will have along your journey.

Given that there are thousands of rooms in cities all over the world, if you want to try one out the next hurdle is going to be to find one that suits your particular skills, experience, and group. Wouldn’t it be nice if someone reviewed rooms with some sort of consistency? Fortunately, there is a site that does called EscRoomAddict. I spoke to one of their editors, named Jeremie Wood. (You can see a sample of one review here.)

The site has teams of reviewers in LA, Chicago, New York, Kansas City, Denver and Toronto, which is where they began four years ago. They have reviewed more than 400 rooms in North America. There are other sites that have reviews, but not as well organized or as consistent in their evaluations as ERA, as they call themselves. The site doesn’t pay their reviewers, but usually the room operator comps the reviewers to do the room. Many of his reviewers have played 50 or more rooms during their tenure, and Wood himself has lost count but thinks he has been party to at least 180 room reviews.

He told me based on his experience that he doesn’t think the escape room craze has peaked yet, and there are still new rooms being built. One opportunity is to try to attract more corporate customers, who use the room as a team-building exercise. And part of that effort is what motivated the founders to start ERA, so that corporate customers could find the best rooms in a particular location.

The escape room landscape is also changing. “Many of the early operators have closed, mainly because the standards for the best experience keep going up.” You might think that the best rooms are the ones that take the most money to build, but that hasn’t been his observation. “I have seen great rooms that didn’t cost much, and lousy rooms that were very expensive,” he said. ”You don’t have to spend huge amounts of cash, but you do have to know what you are doing and design something that has really great puzzles and a great story.”

One of the reasons I like the ERA site is that it attempts to have consistent review metrics for all of its room reviews. The teams from the various cities met earlier this year here in St. Louis to try to iron out consistent style and to set up minimum requirements for their reviews. The reviewers also try to take into account a wide range of puzzle solving ability in their write-ups. Each room is done by at least three different people, who then collaborate on the review, and they usually agree on their evaluation.

Having been to so many rooms, Wood told me that the average Canadian rooms are smaller and more suitable for 4 to 6 people, whereas in the States, they can hold more participants. Also, in Canada, you usually book a room exclusively for your own group, even if it is smaller than the room capacity. In the US, your team is sharing the room with others if the demand is there.

If you have particular room experiences and want to share them with my readers, please post a comment here.

Why your networking future shouldn’t include NAT

Posted on by
Reply

This post is taken from a recent issue of the Internet Protocol Journal and reused with permission. It is written by Leroy Harvey, a data network architect.

The networking world seems to be losing sight that NAT is a crutch of sorts, a way of dealing with the primary problem of a lack of IPv4 addresses. An earlier article in IPJ stated that NAT provides a firewall function. I think NATs and firewalls are mutually exclusive, even if they are found on the same networking device. This is because NATs don’t by themselves provide any natural protection from the host on the other side of a protection point. The two can operate independently.

NAT does present real-world problems with a number of products, such as Microsoft AD Replication and IBM’s Virtual Tape Library. Passing through a NAT breaks the application’s intended communication model and requires compensating mechanisms.

We are asking the wrong question if we say, “should I deploy IPv6 now”. Someone once told me that IPv6 was here to stay. To my way of thinking, it has not arrived after 25 years.

Let’s look at the situation where we want to merge two large company networks together that both make extensive use of NAT. This becomes more complex than if the two networks were originally using a valid replacement for IPv4 and sadly, that protocol doesn’t exist. While I agree with the notion that the Internet can’t be completely stateless, this doesn’t justify using NAT as middleware. Justifying NAT for the sake of IPv4 life-support is nonsensical.

We should appreciate NAT for its role as a tactical compensating mechanism for IPv4 address depletion, not a a strategic future-proofing scalability mechanism for IPv4. Really what many are saying about NAT is just putting lipstick on the IPv4 pig. Unfortunately, in IT there is nothing more permanent than a temporary solution. Let us not fall victim to this easy psychological trap only because we seem to have collectively painted ourselves into a corner of sorts.

FIR B2B PODCAST #97: NOTABLE HITS AND MISSES IN GDPR PITCHES

Posted on by
Reply

In my role as a journalist, I’ve been deluged with hundreds of pitches for GDPR-related stories, which went into effect last week. It didn’t help matters that on the first day the UK commissioner’s website was down for a couple of hours, an Austrian privacy advocate hit Facebook and Google with billions of euros in lawsuits and the privacy browser plug in Ghostery sent out emails about its change in policy, but inadvertently cc’d 500 user names in each batch of email.

In this episode of FIR B2B podcast (19 min.), I discuss the impact of GDPR with my partner Paul Gillin, who has seen his fair share of pitches as well. We discuss some of the best and worst PR pitches we received in the months running up to the launch of the General Data Privacy Regulation, and why a handful stood out.

SecurityIntelligence (IBM blog): Are ransomware attacks rising or falling?

Posted on by
Reply

There are conflicting reports over whether or not ransomware attacks are growing. Many organizations state (quite convincingly) that it’s the most popular malware form and that ransom-related attacks have been increasing at a rapid rate over the past year. However, other reports offer a more nuanced point of view.While the raw number of ransom-based attacks is increasing, the proportion of ransom-related attacks is dropping over the last part of 2017. Many businesses are not paying out the ransoms, motivating criminals to try other malware methods.

I compare the results and show how they differ in my latest blog post for IBM”s Security Intelligence blog.

Hedy Lamarr, The First Geek Movie Star

Posted on by
Reply

The story sounds almost like a Hollywood plot, except it is true: A young starlet doing nude scenes as a teenager, goes on to invent a critical wartime technology that is ignored by the US Navy but ultimately forms the basis of WiFi and cell phones that we use today. Of course, I am talking about the life and times of Hedy Lamarr, the subject of a 2017 documentary film called Bombshell that is available from the streaming services.

She was also the subject of a 2011 biography from Richard Rhodes. I heard Rhodes back when he was promoting his book. Rhodes is the author of many intriguing history of science works, including the story of the Manhattan Project, and his book is worth reading. So is the film, which is also based on a 1990 taped interview that was recently found.

She is a fascinating study in how someone with both beauty and brains can not necessarily make the best of both thee worlds, but was constantly reinventing herself.

The movie traces her acting career and has various clips, including scenes from the provocative film Ecstasy, the one cited earlier that began her career and was banned by Hitler eventually. Lamarr was even the basis of one character in Mel Brooks’ Blazing Saddles.

Both the film and the book show how one of Lamarr’s many inventions, which she developed with her music composer neighbor George Antheil, came about through an odd inquiry. Lamarr was interested in a boob job and Antheil had written about early efforts in that area, again presaging another important intersection of Hollywood and technology. The duo went on to get a patent for a new technique for frequency-hopping radio communications. While not taken seriously at the time, it ultimately was deployed by the military in the 1960s during the cold war. While the technique involved piano rolls, the basis of frequency hopping continues to be used as part of spread-spectrum radio communications that are in common use today. Along the way, Lamarr made many movies and married and divorced six husbands, the first of whom was a Nazi arms merchant that got her interested in developing new technology for the war effort once she fled to America. She lived to be honored by the Electronic Frontier Foundation a few years before she died in 2000.

It is hard for many of us to grok a movie star with her trips to the patent office and test tube rack in her trailer on the movie set, but she was the real deal.

Lamarr once said that “Any girl can be glamorous. All you have to do is stand still and look stupid.” She was anything but.

SecurityIntelligence blog: What Are the Legalities and Implications of Hacking Back?

Posted on by
Reply

Since the Active Cyber Defense Certainty Act was introduced to the U.S. House of Representatives at the end of 2017, people in the tech industry have been forming some very strong opinions. The contentious concept of hacking back opens up a wide range of cyber defense tools to IT and security managers. Lawmakers have taken a recent interest in creating new rules that allow for more flexibility with these activities, which are illegal in most places. Currently, a private company has no legal right to defend itself against a cyberattack.

In this post for IBM’s Security Intelligence blog, I review some of the early hacking back efforts by both private and government entities and discuss some of the recent legislation.

How Atlanta lost its ransomware battle

Posted on by
Reply

The story of how the city of Atlanta reacted against a ransomware attack at the end of March 2018 is instructive both in terms of what not to do and how expensive such an attack can become. The city actually experienced two separate attacks, one that began March 22 and another on April 5. This is just part of an overall trend where ransomware is on the rise. The Verizon Data Breach Investigations Report for 2018 says that ransomware has “overtaken all other forms of malware to be the most prevalent variety of malicious code for” 2017, and 2018 doesn’t look very different.

The first attack took down a number of city services, including online bill paying, the water department and court systems. Some law enforcement officers had to write their reports by hand. However, the city was able to make their municipal payroll and their city-owned airport continued with uninterrupted operations. The city was asked to pay $51,000 in ransom. A second attack hit the water department website again, according to Reuters. “I just want to make the point that this is much bigger than a ransomware attack,” said Keisha Lance Bottoms, the mayor of Atlanta. “This is really an attack on our government, which means it’s an attack on all of us. We are dealing with a hostage situation,” she said. But the mayor also admitted that cybersecurity wasn’t initially a high priority for her or the city, although it is now.

The first attack was based on the SamSam malware. CSOonline has details about the ransom notes and how they were tied to this particular malware strain. SamSam ransomware differs from other ransomware because the attackers don’t rely on user-based attack vectors, such as phishing campaigns. Instead, they use compromised hosts to gain a foothold and then move laterally through the network, taking their time to analyze weaknesses and points of leverage. This type of malware also hit the Colorado state Department of Transportation, which was able to restore its systems without paying any ransom. But then it was hit with a second attack a week later.

It seemed the Atlanta city government refused to pay based on subsequently events, when they hired a series of consultants to help fix things. Eventually, they will have spent more than $2 million in contracts with various consultants such as E&Y, Secureworks, Microsoft, CDW and others that the city has listed on its website.

Their first mistake was not heeding any early warnings about how ill-prepared they were, according to this report from a local TV station. Fixes were planned for the spring of 2018 but unfortunately not completed before the attacks happened.

But they compounded this mistake with a lot of sloppy IT work. One of the issues for Atlanta was how exposed it was. The city had open Windows RDP ports with no multi-factor authentication protection and also had open SMB shares and FTP servers too, making them very easy to access and infect. Rendition Infosec documents these issues in a blog post here. These consultants had found the infamous NSA-based DoublePulsar malware on several city computers last year — computers that weren’t patched for several weeks after their owners were notified. These delays in patching were one of the big reasons why the footprint of the ransomware was so large, and so difficult to contain.

Certainly, Atlanta isn’t the only city which has poorly prepared for potential attacks. A recent survey of municipal  IT workers found that most of them don’t know how frequently they are under attack, can’t determine who the attackers are and don’t even keep track of them when these attacks happen. The survey found that almost half of the respondents experience daily cyberattacks, and the researchers think this is even conservative. They conclude, “If local officials are going to do a better job protecting their information assets, they’ll first need to know a lot more about what’s actually happening.”

What can we learn from Atlanta? Lax security, delayed patching, sparse backups, lots of open ports for hackers to access all led to the inevitable. These are some of the reasons why getting its online sites up and running took them weeks, if not months. Ultimately, Atlanta IT needs to change their culture to fix these common mistakes and be more attentive.

But Atlanta was also behind the times when it comes to having top-shelf protection solutions. Reviewing whom they have paid since the breach, the city has purchased multiple protection solutions, including Forescout, temporary staffing, incident response services, and Duo authentication tools. That’s great but they should have been using these tools from the get-go.

Should they have paid the ransom? It is tempting to pay, particularly when you think (mistakenly, in the case of Atlanta) that your backups are fine. Yes, the economics of paying can be a better than the costs and consequences of trying to fix things yourself – if you are confident that the payment will actually result in decrypting your data and returning your systems back to a working state.

But that doesn’t always work, especially when you realize that your backups aren’t adequate. A business can still have disruptions, as we have seen with the aftermath of the Atlanta cleanup stretching well into the summer. And remember that you are dealing with criminals, who don’t necessarily have to give you anything in return for your ransom payment.  There is no guarantee that you will get your files decrypted, either. “Organizations should never have to think if paying the ransom is a better way out than restoring data compromised by ransomware,” says Rick Vanover, the director of product strategy for Veeam Software.

Finally, you need to vet your backup and recovery procedures, to make sure that they actually protect your data. “Organizations must have confidence in their backup architecture. It has to be resilient against threats such as ransomware today,” Vanover says. Atlanta never truly tested their recovery processes until it was too late. “One way to look at this is to pay now or pay later. Pay now to be resilient. Pay later to document that proper preparation was not in place.”

Gregory FCA blog: Get Your Cyber Security Firm Into Any News Story

Posted on by
Reply

It’s a precarious life for those who make a living marketing security services. The call could come anytime. From the product side or the C-Suite. I got together with

“Why aren’t we generating more awareness? Why does the media cover our competitors and not us? What can we do to create interest so that prospects know about us and include us in RFPs?”

Maybe it’s because your pitches aren’t creative enough?

Or they fail to understand how to engage the media?

Or they simply don’t give editors and reporters what they really want–and that’s something they haven’t heard before.

Consider these approaches:

1.  Fear sells and it’s a primary driver of media reporting. While the mass media is well aware of the Dark Web, they still don’t know enough and should report more on it to help protect their readers and viewers. What’s a cyber security firm to do? How about partnering with media on a story with a pitch that reads:

Subject: “We just did a Dark Web search on your three of your anchors, and what we found should scare you and your viewers.” 

The mass media–especially TV–loves it when their anchors or reporters personalize a story and put themselves in the shoes of their viewers. A smart PR campaign targets the media with that in mind, does the research and heavy lifting upfront and then offers to frame and work with them on the story.

2.  Crypto is all the rage. The media is desperately searching for clever ways to cover it and to engage and interest their readers and viewers in it. Cyptomining malware combines too big, fat scary angles to interest reporters with pitches like:

Subject: “How criminals are using your phone to make millions by mining bitcoins without you even knowing it.”

This angle brings to light an under reported threat that impacts general consumers and plays well to a wide range of media–everything from business magazines and TV news to popular magazines and morning network TV talk shows. A well constructed pitch that explains this threat and offers expert advice on protecting against it is exactly the kind of on-trend pitch the media jumps on.

3.  Make it contemporary. The very word NEWS comes from the root of NEW. The media loves to tie their stories to what’s happening in popular culture–even the trade and B2B media are open to the approach. Referencing entertainment, the news or pop culture provides a touchstone that immediately conveys meaning. Here’s a pitch that accomplishes all that and more:

Subject: “Liam Neeson they’re not. More companies are paying ransomware than trying to restore data from dated backup technologies.”

Where would you take your pitch from there? How about:

So you think you’re a tough guy like Liam Neeson in one of those hookey kidnap thrillers? And you’re ready to fight back if someone should hold ransom over your data?

No you’re not.

Increasingly companies are capitulating to data thieves and simply paying the ransom rather than from their own backup systems. Why? Many backup systems are simply too old and unreliable to…“.

So the next time you get that call questioning your PR strategy, remember, the media is often a willing partner in reporting on cyber security topics that impact the world. The key is to relate to the media on their terms, offering them creative angles that attract more viewers and readers to their online, print and broadcast properties. The undeniable pitch is for real and only limited by your own imagination and creativity or that of your PR partner.